th d congress session s. ll€¦ · 3 lyn20111 s.l.c. lrm k7 5my 1 (i) a person over which the...
TRANSCRIPT
LYN20111 S.L.C.
LRM K7 5MY
116TH CONGRESS 2D SESSION S. ll
To protect the privacy of consumers.
IN THE SENATE OF THE UNITED STATES
llllllllll
Mr. MORAN introduced the following bill; which was read twice and referred
to the Committee on llllllllll
A BILL To protect the privacy of consumers.
Be it enacted by the Senate and House of Representa-1
tives of the United States of America in Congress assembled, 2
SECTION 1. SHORT TITLE; TABLE OF CONTENTS. 3
(a) SHORT TITLE.—This Act may be cited as the 4
‘‘Consumer Data Privacy and Security Act of 2020’’. 5
(b) TABLE OF CONTENTS.—The table of contents of 6
this Act is as follows: 7
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Collection and processing of personal data.
Sec. 4. Right to know.
Sec. 5. Individual control.
Sec. 6. Security.
Sec. 7. Accountability.
Sec. 8. Rules relating to service providers.
Sec. 9. Enforcement.
Sec. 10. Relation to other laws.
2
LYN20111 S.L.C.
LRM K7 5MY
Sec. 11. Commission resources.
Sec. 12. Guidance and reporting.
Sec. 13. Severability.
Sec. 14. Effective date.
SEC. 2. DEFINITIONS. 1
In this Act: 2
(1) BIOMETRIC INFORMATION.—The term ‘‘bio-3
metric information’’ means information, resulting 4
from specific technical processing related to the 5
physical, biological, physiological, genetic, or behav-6
ioral characteristics of an individual, that identifies 7
the individual. 8
(2) COLLECTION.—The term ‘‘collection’’ 9
means acquiring personal data by any means, in-10
cluding by receiving, purchasing, or leasing the data 11
or by observing or interacting with the individual to 12
whom the data relates. 13
(3) COMMISSION.—The term ‘‘Commission’’ 14
means the Federal Trade Commission. 15
(4) COVERED ENTITY.— 16
(A) IN GENERAL.—The term ‘‘covered en-17
tity’’ means any entity that— 18
(i) alone, or jointly with others, deter-19
mines the purpose and means of collecting 20
or processing personal data; and 21
(ii) is— 22
3
LYN20111 S.L.C.
LRM K7 5MY
(I) a person over which the Com-1
mission has authority pursuant to sec-2
tion 5(a)(2) of the Federal Trade 3
Commission Act (15 U.S.C. 45(a)(2)); 4
(II) a common carrier subject to 5
the Communications Act of 1934 (47 6
U.S.C. 151 et seq.) and Acts amend-7
atory thereof and supplementary 8
thereto; or 9
(III) a nonprofit organization, in-10
cluding any organization that is not 11
organized to carry on business for its 12
own profit or that of its members. 13
(B) LIMITATION.—An entity shall not be 14
considered to be a covered entity with respect to 15
personal data to the extent that the entity is a 16
service provider with respect to such data. 17
(5) DE-IDENTIFY.—The term ‘‘de-identify’’ 18
means, with respect to personal data held by a cov-19
ered entity or service provider, that the covered enti-20
ty or service provider— 21
(A) alters, anonymizes, or aggregates the 22
data so that there is a reasonable basis for ex-23
pecting that the data could not be linked (in-24
4
LYN20111 S.L.C.
LRM K7 5MY
cluding by the entity or service provider) as a 1
practical matter to a specific individual; 2
(B) publicly commits to refrain from at-3
tempting to re-identify the data with a specific 4
individual, and adopts controls to prevent such 5
identification; and 6
(C) causes the data to be covered by a con-7
tractual or other legally enforceable prohibition 8
on each entity to which the covered entity or 9
service provider discloses the data from at-10
tempting to use the data to identify a specific 11
individual and requires the same of all onward 12
disclosures. 13
(6) DELETE.—The term ‘‘delete’’ means to re-14
move or destroy information such that the informa-15
tion is not able to be retrieved in the ordinary course 16
of business. 17
(7) INDIVIDUAL.—The term ‘‘individual’’ means 18
a natural person residing in the United States. 19
(8) MATERIAL CHANGE.—The term ‘‘material 20
change’’ means a change to a policy or practice of 21
a covered entity or service provider that— 22
(A) relates to the collection or processing 23
of personal data by the covered entity or service 24
provider; 25
5
LYN20111 S.L.C.
LRM K7 5MY
(B) is likely to affect the conduct or deci-1
sion of a reasonable individual with respect to 2
any personal data of the individual that is sub-3
ject to such policy or practice; and 4
(C) in the case of a service provider, is 5
made at the direction of the covered entity on 6
whose behalf the service provider is performing 7
a service or function. 8
(9) PERSONAL DATA.— 9
(A) IN GENERAL.—The term ‘‘personal 10
data’’ means information that identifies or is 11
linked or reasonably linkable to a specific indi-12
vidual. 13
(B) LINKED OR REASONABLY LINKABLE.— 14
(i) IN GENERAL.—For purposes of 15
subparagraph (A), information held by a 16
covered entity or service provider is linked 17
or reasonably linkable to a specific indi-18
vidual if it can be used on its own or in 19
combination with other information held 20
by, or readily accessible to, the covered en-21
tity or service provider to identify the indi-22
vidual. 23
(ii) APPLICATION TO DEVICE-LEVEL 24
IDENTIFIERS.—A persistent identifier that 25
6
LYN20111 S.L.C.
LRM K7 5MY
is used to identify a specific individual over 1
time and across services and platforms, in-2
cluding a customer number held in a cook-3
ie, a static Internet Protocol (IP) address, 4
a processor or device serial number, or an-5
other unique device identifier, shall be con-6
sidered information that is linked or rea-7
sonably linkable to the individual for pur-8
poses of subparagraph (A). 9
(C) EXCLUSION.—The term ‘‘personal 10
data’’ does not include— 11
(i) de-identified data; 12
(ii) data that has been rendered 13
unreadable or indecipherable; 14
(iii) information about employees or 15
employment status collected or used by an 16
employer pursuant to an employer-em-17
ployee relationship, including information 18
related to prospective employees and rel-19
evant application materials; 20
(iv) publicly available information; 21
(v) data that has undergone 22
pseudonymization; or 23
(vi) employee data. 24
7
LYN20111 S.L.C.
LRM K7 5MY
(D) EMPLOYEE DATA.—For purposes of 1
subparagraph (C), the term ‘‘employee data’’ 2
means information collected by a covered entity 3
or the service provider of a covered entity that 4
is— 5
(i) contact information for an indi-6
vidual or the individual’s emergency con-7
tact that is collected in the course of the 8
individual’s employment or application for 9
employment (including on a contract or 10
temporary basis) with the covered entity, 11
provided that such information is retained 12
or processed by the covered entity or serv-13
ice provider solely for purposes related to 14
the individual’s employment or application 15
for employment with the covered entity; or 16
(ii) information about an individual 17
who is an employee or former employee of 18
the covered entity (or a relative of such an 19
individual) that is necessary to administer 20
benefits to which such individual or rel-21
ative is entitled on the basis of the individ-22
ual’s employment with the covered entity, 23
provided that such data is retained or 24
processed by the covered entity or service 25
8
LYN20111 S.L.C.
LRM K7 5MY
provider solely for the purpose of admin-1
istering such benefits. 2
(10) PSEUDONYMIZATION.—The term 3
‘‘pseudonymization’’ means the processing of per-4
sonal data so that the personal data can no longer 5
be attributed or reasonably linked to a specific indi-6
vidual without the use of additional information, 7
provided that such additional information— 8
(A) is kept separately; and 9
(B) is subject to technical and organiza-10
tional measures to ensure that the personal 11
data is not attributed to a specific individual. 12
(11) PRIVACY OFFICER.—The term ‘‘privacy of-13
ficer’’ means an individual designated by a covered 14
entity or service provider under section 7(b)(1) to be 15
the privacy officer of the covered entity. 16
(12) PROCESSING.—The term ‘‘processing’’ 17
means any operation or set of operations performed 18
on personal data, including the analysis, organiza-19
tion, structuring, retaining, using, disclosing, trans-20
mitting, sharing, transferring, selling, licensing, or 21
otherwise handling of personal data. 22
(13) PUBLICLY AVAILABLE INFORMATION.— 23
(A) IN GENERAL.—The term ‘‘publicly 24
available information’’ means any information 25
9
LYN20111 S.L.C.
LRM K7 5MY
that a covered entity or service provider has a 1
reasonable basis to believe is lawfully made 2
available to the general public from— 3
(i) a Federal, State, or local govern-4
ment record; 5
(ii) widely distributed media; or 6
(iii) a disclosure to the general public 7
that is made voluntarily by an individual, 8
or required to be made by a Federal, 9
State, or local law. 10
(B) REASONABLE BASIS TO BELIEVE.— 11
For purposes of subparagraph (A), reasonable 12
bases for believing that information is lawfully 13
made available to the general public shall in-14
clude a written determination by a covered enti-15
ty or service provider that the information is of 16
a type that is lawfully made available to the 17
general public. 18
(14) SENSITIVE PERSONAL DATA.—The term 19
‘‘sensitive personal data’’ means personal data that 20
is— 21
(A) a unique, government-issued identifier, 22
such as a social security number, passport num-23
ber, driver’s license number, or taxpayer identi-24
fication number; 25
10
LYN20111 S.L.C.
LRM K7 5MY
(B) a user name or email address in com-1
bination with a password or security question 2
and answer that would permit access to an on-3
line account; 4
(C) biometric information of an individual; 5
(D) the content of a wire communication, 6
oral communication, or electronic communica-7
tion, as those terms are defined in section 2510 8
of title 18, United States Code, to which the in-9
dividual is a party, unless the covered entity is 10
the intended recipient of the communication; 11
(E) information that relates to— 12
(i) the past, present, or future diag-13
nosed physical or mental health or condi-14
tion of an individual; 15
(ii) the provision of health care to an 16
individual; or 17
(iii) the past, present, or future pay-18
ment for the provision of health care to an 19
individual; 20
(F) a financial account number, debit card 21
number, credit card number, if combined with 22
an access code, password, or credentials that 23
provide access to such an account; 24
(G) the race or ethnicity of the individual; 25
11
LYN20111 S.L.C.
LRM K7 5MY
(H) the religious beliefs or affiliation of 1
the individual; 2
(I) the sexual orientation of the individual; 3
(J) the precise geolocation of an individual 4
that is technically derived and that is capable of 5
determining with reasonable specificity the past 6
or present actual physical location of the indi-7
vidual more precisely than a zip code, street, or 8
town or city level; or 9
(K) such other specific categories of per-10
sonal data as the Commission may define by 11
rule issued in accordance with section 553 of 12
title 5, United States Code, the collection or 13
processing of which could lead to reasonably 14
foreseeable harm to an individual. 15
(15) SERVICE PROVIDER.—The term ‘‘service 16
provider’’ means an entity that collects or processes 17
personal data on behalf of, and at the direction of, 18
a covered entity to which the service provider is un-19
affiliated, but only— 20
(A) with respect to the personal data col-21
lected or processed on the behalf of, and at the 22
direction of, such covered entity; and 23
(B) to the extent that the collection or 24
processing— 25
12
LYN20111 S.L.C.
LRM K7 5MY
(i) is on the behalf of, and at the di-1
rection of, such covered entity; or 2
(ii) is permitted under section 3(c). 3
(16) SMALL BUSINESS.—The term ‘‘small busi-4
ness’’ means any covered entity or service provider 5
that— 6
(A) for the most recent 6-month period— 7
(i) employs not more than 500 em-8
ployees; and 9
(ii) maintains less than $50,000,000 10
in average gross receipts for the previous 3 11
years; and 12
(B) collects or processes on an annual 13
basis— 14
(i) the personal data of fewer than 15
1,000,000 individuals; or 16
(ii) the sensitive personal data of 17
fewer than 100,000 individuals. 18
(17) THIRD PARTY.— 19
(A) IN GENERAL.—The term ‘‘third party’’ 20
means a covered entity that receives third party 21
personal data from an unaffiliated covered enti-22
ty, but only with respect to such third party 23
personal data. 24
13
LYN20111 S.L.C.
LRM K7 5MY
(B) THIRD PARTY PERSONAL DATA.—For 1
purposes of subparagraph (A), the term ‘‘third 2
party personal data’’ means personal data that 3
a covered entity discloses to another unaffiliated 4
covered entity and such disclosure— 5
(i) is not directed by the individual to 6
whom the personal data relates; and 7
(ii) is not necessary to complete a 8
transaction or fulfill a request made by the 9
individual to whom such data relates. 10
(18) UNAFFILIATED.—The term ‘‘unaffiliated’’ 11
means, with respect to 2 or more entities, that the 12
entities do not share interrelated operations, com-13
mon management, centralized control of labor rela-14
tions, or common ownership or financial control. 15
SEC. 3. COLLECTION AND PROCESSING OF PERSONAL 16
DATA. 17
(a) REQUIREMENTS.— 18
(1) IN GENERAL.—Except as provided in para-19
graphs (2) and (3), a covered entity shall not collect 20
or process personal data of an individual unless— 21
(A) the individual has consented explicitly 22
or implicitly to such collection or processing for 23
a specific purpose, in accordance with sub-24
section (b); or 25
14
LYN20111 S.L.C.
LRM K7 5MY
(B) the covered entity collects or processes 1
the personal data in accordance with a permis-2
sible purpose described in subsection (c). 3
(2) APPLICATION TO THIRD PARTIES.— 4
(A) IN GENERAL.—A covered entity that is 5
a third party with respect to the personal data 6
of an individual may collect or process such per-7
sonal data without directly obtaining the indi-8
vidual’s consent as required under paragraph 9
(1)(A) if— 10
(i) the covered entity from whom the 11
third party received the personal data of 12
the individual involved— 13
(I) has provided the individual 14
with notice of— 15
(aa) the fact that the cov-16
ered entity would disclose the in-17
dividual’s personal data to the 18
third party; and 19
(bb) the purposes for which 20
the third party will collect or 21
process the personal data of the 22
individual; and 23
(II) the individual has consented 24
to such disclosure and such collection 25
15
LYN20111 S.L.C.
LRM K7 5MY
or processing of the individual’s per-1
sonal data; or 2
(ii) the third party collects or process 3
the personal data in accordance with a per-4
missible purpose described in subsection 5
(c). 6
(B) NOTICE AND CONSENT REQUIREMENT 7
FOR DIFFERENT OR ADDITIONAL COLLECTION 8
OR PROCESSING.—A covered entity that is a 9
third party with respect to the personal data of 10
an individual shall obtain the consent of such 11
individual in accordance with subsection (b) be-12
fore collecting or processing such personal data 13
if the specific purpose for such collection or 14
processing— 15
(i) is not a purpose described in para-16
graph (1), (2), (4), or (6) of subsection (c); 17
and 18
(ii) is different from, or in addition to, 19
the purpose for any collection or processing 20
to which the individual previously con-21
sented in accordance with subsection (b). 22
(C) DUTY TO EXERCISE REASONABLE DUE 23
DILIGENCE PRIOR TO RELIANCE ON COVERED 24
ENTITY REPRESENTATIONS.—For purposes of 25
16
LYN20111 S.L.C.
LRM K7 5MY
subparagraph (A), a covered entity that is a 1
third party with respect to the personal data of 2
an individual may reasonably rely on represen-3
tations made by the covered entity from whom 4
the third party received such data regarding the 5
notice provided to, and the consent obtained 6
from, such individual, provided that the third 7
party has determined, after exercising reason-8
able due diligence, that the covered entity is 9
credible. 10
(3) NOTICE AND CONSENT OBTAINED BY SERV-11
ICE PROVIDERS.—A service provider may provide no-12
tice to, and obtain consent from, an individual in ac-13
cordance with subsection (b) on behalf of a covered 14
entity. 15
(b) CONSENT.— 16
(1) IN GENERAL.— 17
(A) IMPLICIT CONSENT.—Except as pro-18
vided in subparagraph (B), an individual shall 19
be deemed to have consented to a request to 20
collect or process the individual’s personal data 21
if the individual fails to decline the request 22
after being provided with the notice described in 23
paragraph (2) and a reasonable amount of time 24
to respond to the request. 25
17
LYN20111 S.L.C.
LRM K7 5MY
(B) EXPRESS AFFIRMATIVE CONSENT RE-1
QUIREMENT.— 2
(i) IN GENERAL.—The express affirm-3
ative consent of an individual is required to 4
collect or process the personal data of the 5
individual if the collection or processing— 6
(I) involves sensitive personal 7
data of the individual; or 8
(II) involves the disclosure of 9
personal data to a third party for a 10
purpose that is not described in sub-11
section (c). 12
(ii) REQUIREMENTS FOR VALID EX-13
PRESS AFFIRMATIVE CONSENT.—For pur-14
poses of clause (i), the express affirmative 15
consent of an individual to a request to 16
collect or process the personal data of the 17
individual— 18
(I) shall be clearly, prominently, 19
and unmistakably stated; 20
(II) shall be provided in response 21
to a request that includes the notice 22
described in paragraph (2); and 23
(III) cannot be inferred from in-24
action. 25
18
LYN20111 S.L.C.
LRM K7 5MY
(2) NOTICE REQUIRED.— 1
(A) IN GENERAL.—In requesting the con-2
sent of an individual to collect or process the 3
individual’s personal data, a covered entity shall 4
provide the individual with notice, in a concise, 5
meaningful, timely, prominent, and easy-to-un-6
derstand format, that includes— 7
(i) the types of personal data collected 8
and processed; 9
(ii) a description of the purposes for 10
which the covered entity seeks to collect or 11
process that individual’s personal data; and 12
(iii) the information described in sub-13
paragraph (B). 14
(B) CONTENTS.—The notice provided by a 15
covered entity under subparagraph (A) shall in-16
clude— 17
(i) information on how the individual 18
may access the privacy policy of the cov-19
ered entity described in section 4(a); 20
(ii) information on how the individual 21
may exercise the rights provided for under 22
this Act; and 23
(iii) notice of whether the collection or 24
processing by the covered entity— 25
19
LYN20111 S.L.C.
LRM K7 5MY
(I) includes the disclosure of per-1
sonal data to third parties; or 2
(II) involves sensitive personal 3
data. 4
(C) SEPARATION.—If consent is obtained 5
in the context of a notice that also concerns 6
matters other than the collection or processing 7
of personal data, the request for consent shall 8
be presented in a manner that is clearly distin-9
guishable from the other matters. 10
(3) WITHDRAWAL OF CONSENT.— 11
(A) IN GENERAL.—A covered entity shall 12
provide an individual with the means to with-13
draw previously given consent to collect or proc-14
ess the personal data of the individual— 15
(i) at any time and place that is rea-16
sonably practicable; and 17
(ii) in a manner that is as accessible 18
as reasonably practicable. 19
(B) EFFECT.—A withdrawal made under 20
subparagraph (A)— 21
(i) shall take effect without undue 22
delay; 23
20
LYN20111 S.L.C.
LRM K7 5MY
(ii) shall remain in effect until the in-1
dividual revokes or limits that denial or 2
withdrawal; and 3
(iii) shall not apply to any collection 4
or processing of personal data that oc-5
curred before the date on which the with-6
drawal is made. 7
(c) PERMISSIBLE PURPOSES.—A covered entity or 8
service provider may collect or process the personal data 9
of an individual without consent to the extent that such 10
collection or processing is reasonably necessary and lim-11
ited to the following purposes (except that a covered entity 12
that is a third party with respect to personal data may 13
not collect or process such data without consent for the 14
purposes described in paragraphs (3), (5), and (6)): 15
(1) PROVISION OF SERVICE OR PERFORMANCE 16
OF A CONTRACT.—To— 17
(A) provide a service, perform a contract, 18
or conduct a transaction that the individual has 19
initiated; or 20
(B) take steps in furtherance of the re-21
quest initiated by of the individual prior to pro-22
viding the service or entering into a contract or 23
transaction. 24
21
LYN20111 S.L.C.
LRM K7 5MY
(2) COMPLIANCE WITH LAWS.—To comply with 1
a Federal, State, or local law or another applicable 2
legal requirement, including a subpoena, summons, 3
or other properly executed compulsory process, or to 4
exercise or defend a legal claim, as specifically au-5
thorized by law. 6
(3) IMMEDIATE DANGER.—To prevent immi-7
nent danger to the personal safety of any individual, 8
including by effectuating a product recall pursuant 9
to Federal or State law. 10
(4) FRAUD PREVENTION AND PROTECTION OF 11
SECURITY.—To protect the rights, property, services, 12
or information systems of the covered entity or serv-13
ice provider, or any individual, including to inves-14
tigate a possible crime or to protect against security 15
threats, abuse, malicious conduct, deception, fraud, 16
theft, unauthorized transactions, or any other unlaw-17
ful activity. 18
(5) RESEARCH.—In the case of a covered entity 19
only, to conduct research that— 20
(A) is performed for the primary purpose 21
of advancing a broadly recognized public inter-22
est; 23
(B) is performed by the covered entity (or 24
by a service provider at the direction of the cov-25
22
LYN20111 S.L.C.
LRM K7 5MY
ered entity) and is not disclosed to any third 1
party; 2
(C) is broadly compatible with the pur-3
poses for which the data was originally collected 4
or processed; and 5
(D) adheres to all applicable ethics and 6
privacy laws. 7
(6) OPERATIONAL PURPOSES.—To— 8
(A) perform internal operations or ana-9
lytics for a product or service offered by the 10
covered entity or service provider, such as bill-11
ing, shipping, internal systems maintenance, 12
diagnostics, inventory management, financial 13
reporting or accounting, serving an internet 14
website, or network management; 15
(B) use on a short-term, transient basis, 16
provided that the personal data— 17
(i) is not disclosed to a third party; 18
and 19
(ii) is not used to build a persistent 20
profile of the individual; 21
(C) in the case of a covered entity only, 22
market or advertise a service or product to an 23
individual if the personal data used for the 24
marketing or advertising was collected directly 25
23
LYN20111 S.L.C.
LRM K7 5MY
from the individual by the covered entity or by 1
a service provider on behalf of the covered enti-2
ty; 3
(D) improve a product, service, or activity 4
used, requested, or authorized by the individual, 5
including analytics, forecasting, the repair of er-6
rors that impair existing intended functionality, 7
actions to verify or maintain quality or safety of 8
the product, service, or activity, or the ongoing 9
provision of customer service and support by 10
the covered entity or service provider; or 11
(E) other additional specific categories of 12
operational purposes that the Commission may 13
define by rule, issued in accordance with section 14
553 of title 5, United States Code. 15
(d) LIMITING THE RETENTION OF SENSITIVE PER-16
SONAL DATA.—A covered entity shall delete or de-identify 17
sensitive personal data, and shall direct its service pro-18
viders to delete or de-identify sensitive personal data, after 19
the data is no longer reasonably necessary to accomplish 20
the intended purposes permitted by this section, unless 21
such deletion or de-identification is impossible or demon-22
strably impracticable. 23
(e) BANKRUPTCY.—If a covered entity or service pro-24
vider commences a case under title 11 of the United States 25
24
LYN20111 S.L.C.
LRM K7 5MY
Code, and the case or any proceeding under the case is 1
expected to lead to the disclosure of the personal data of 2
any individual, the covered entity or service provider shall, 3
in a reasonable amount of time before the disclosure, pro-4
vide each individual whose personal data is subject to the 5
disclosure with— 6
(1) a notice of the proposed disclosure, includ-7
ing— 8
(A) the name of each third party to which 9
the personal data will be disclosed; and 10
(B) a description of the policies and prac-11
tices relating to personal data of each such 12
third party; and 13
(2) the opportunity to— 14
(A) deny consent, or withdraw previously 15
given consent, to the disclosure of the personal 16
data; or 17
(B) request that the covered entity or serv-18
ice provider delete or de-identify the personal 19
data. 20
SEC. 4. RIGHT TO KNOW. 21
(a) IN GENERAL.—A covered entity shall make pub-22
licly available, in a clear and prominent location and in 23
easy-to-understand language, a privacy policy that in-24
cludes— 25
25
LYN20111 S.L.C.
LRM K7 5MY
(1) a clear and specific description of the enti-1
ty’s policies and practices with respect to personal 2
data; 3
(2) a clear and specific description of the rights 4
of individuals with respect to their personal data (in-5
cluding the rights described in section 5) and infor-6
mation on how to exercise those rights; and 7
(3) the information described in subsection (c). 8
(b) AVAILABILITY OF PREVIOUS VERSIONS.—A cov-9
ered entity shall make publicly available any previous 10
version of a privacy policy required under subsection (a). 11
(c) CONTENTS.—A privacy policy required under sub-12
section (a) shall include— 13
(1) the identity and the contact details of the 14
covered entity, including, where applicable, the rep-15
resentative of the covered entity for purposes of pri-16
vacy inquiries or its privacy officer; 17
(2) a clear description of each category of per-18
sonal data collected by the covered entity and the 19
purposes for which each such category is collected 20
and processed; 21
(3) a clear description of any relevant retention 22
periods (if possible) and any criteria and other infor-23
mation with respect to the deletion or de-identifica-24
26
LYN20111 S.L.C.
LRM K7 5MY
tion of personal data collected and processed by the 1
covered entity; 2
(4) whether, and for what purposes, the covered 3
entity discloses personal data to third parties, each 4
category of personal data disclosed to third parties, 5
and the types of third parties to which those cat-6
egories of personal data are disclosed; 7
(5) whether, and for what purposes, the covered 8
entity receives personal data from third parties, the 9
categories of personal data received from third par-10
ties, and the types of third parties from which the 11
covered entity receives personal data; 12
(6) a clear description of the process by which 13
the covered entity informs individuals of material 14
changes to its policies and practices with respect to 15
its collection and processing of personal data; 16
(7) the specific steps an individual may take to 17
minimize the collection or processing by the covered 18
entity of the individual’s personal data, and the rel-19
evant implications to the individual from minimizing 20
such collection or processing; 21
(8) the effective date of the privacy policy. 22
(d) EXCEPTIONS.—A covered entity shall not be re-23
quired to make available a privacy policy under this sub-24
27
LYN20111 S.L.C.
LRM K7 5MY
section with respect to the collection or processing of per-1
sonal data that is reasonably necessary and limited to— 2
(1) an in-person transaction where the personal 3
data is not processed for further purposes incompat-4
ible with that transaction; 5
(2) comply a Federal, State, or local law or an-6
other applicable legal requirement, including a sub-7
poena, summons, or other properly executed compul-8
sory process; 9
(3) prevent imminent danger to the personal 10
safety of any individual; or 11
(4) protect the rights or data security of the 12
covered entity, a service provider of the covered enti-13
ty, or any individual, including to investigate a pos-14
sible crime or to protect against security threats, 15
abuse, fraud, theft, unauthorized transactions, or 16
any other unlawful activity. 17
(e) MATERIAL CHANGES.— 18
(1) IN GENERAL.—A covered entity, upon any 19
material change to the privacy policy of the covered 20
entity or a material change to the privacy policy of 21
a service provider that is made at the direction of 22
the covered entity— 23
(A) shall notify each individual whose per-24
sonal data is collected or processed by the cov-25
28
LYN20111 S.L.C.
LRM K7 5MY
ered entity, or a service provider on behalf of 1
the covered entity, with a description of the ma-2
terial change, including— 3
(i) change to the categories of per-4
sonal data the covered entity or service 5
provider processes; 6
(ii) change to the purposes for which 7
the covered entity or service provider proc-8
esses personal data; 9
(iii) change to the manner in which 10
the covered entity or service provider dis-11
closes personal data to third parties; and 12
(iv) which, if any, changes are retro-13
active; and 14
(B) shall not process (or, in the case of a 15
material change to the privacy policy of a serv-16
ice provider that is directed by the covered enti-17
ty, shall not direct the service provider to proc-18
ess) any sensitive personal data of an individual 19
that was collected by the covered entity or serv-20
ice provider before the effective date of the ma-21
terial change in a manner that is inconsistent 22
with the privacy policy that was applicable at 23
the time such data was collected until the indi-24
29
LYN20111 S.L.C.
LRM K7 5MY
vidual provides express affirmative consent to 1
such processing. 2
(2) DIRECT NOTICE OF MATERIAL CHANGE TO 3
AFFECTED INDIVIDUALS.—A covered entity shall, if 4
operationally and technically feasible, directly pro-5
vide the notice of a material change required under 6
paragraph (1)(A) to each affected individual, taking 7
into account available technology and the nature of 8
the relationship between the covered entity and the 9
individual. 10
(3) PUBLIC NOTICE OF MATERIAL CHANGE.— 11
Where directly providing the notice of a material 12
change required under paragraph (1)(A) to each af-13
fected individual is impossible or demonstrably im-14
practicable, a covered entity— 15
(A) shall publish the notice in a reasonably 16
prominent location; and 17
(B) shall not process personal data that 18
was collected by the covered entity before the 19
effective date of the material change in a man-20
ner that is inconsistent with the privacy policy 21
that was applicable at the time such data was 22
collected until after the notice has been so pub-23
lished for a period of time that is reasonably 24
sufficient to give affected individuals the oppor-25
30
LYN20111 S.L.C.
LRM K7 5MY
tunity to exercise their rights with respect to 1
their personal data. 2
SEC. 5. INDIVIDUAL CONTROL. 3
(a) PRIVACY CONTROLS.—Each covered entity 4
shall— 5
(1) provide each individual whose personal data 6
is collected or processed by the covered entity with 7
a reasonably accessible, clear and conspicuous, and 8
easy-to-use means to exercise the individual’s rights 9
established under this section with respect to such 10
data; 11
(2) if applicable, offer the means required 12
under paragraph (1) through the same means that 13
the individual routinely uses to interact with the cov-14
ered entity; and 15
(3) make the means required under paragraph 16
(1) available at no additional cost to the individual. 17
(b) RIGHT TO ACCESS.— 18
(1) IN GENERAL.—A covered entity shall, in re-19
sponse to a verified request from an individual— 20
(A) confirm whether or not the covered en-21
tity has collected or processed the personal data 22
of the individual; and 23
(B) if the covered entity has collected or 24
processed the personal data of the individual, 25
31
LYN20111 S.L.C.
LRM K7 5MY
provide, within a reasonable time after receiving 1
the request, the individual with— 2
(i) a copy, or an accurate representa-3
tion, of the personal data pertaining to the 4
individual collected and processed by the 5
covered entity; and 6
(ii) a list of the categories of third 7
parties to which the covered entity has dis-8
closed the personal data of the individual, 9
if applicable. 10
(2) EASE OF ACCESS.— 11
(A) FORMAT.—The covered entity shall 12
provide the information described in paragraph 13
(1)(B) in an electronic format unless— 14
(i) the individual requests to receive 15
the information by other means; or 16
(ii) providing the information elec-17
tronically is impossible or demonstrably 18
impracticable. 19
(B) DATA PORTABILITY.—If a covered en-20
tity provides an individual with information in 21
an electronic format under subparagraph (A), 22
the covered entity shall, where technically fea-23
sible and reasonably practicable, provide the in-24
dividual with— 25
32
LYN20111 S.L.C.
LRM K7 5MY
(i) the ability to export the personal 1
data generated and submitted by the indi-2
vidual in a structured, commonly-used, and 3
machine-readable format; and 4
(ii) the ability to transmit such infor-5
mation to another entity without con-6
straints or conditions. 7
(c) RIGHTS TO ACCURACY AND CORRECTION.— 8
(1) IN GENERAL.—A covered entity shall estab-9
lish reasonable procedures designed to— 10
(A) ensure that the personal data that the 11
covered entity collects and processes with re-12
spect to an individual is accurate and up-to- 13
date; and 14
(B) provide individuals with the ability to 15
submit a verified request to the covered entity 16
to— 17
(i) dispute the accuracy and complete-18
ness of such personal data; and 19
(ii) request the appropriate correction 20
of such personal data. 21
(2) DISPUTE AND CORRECTION.—Each covered 22
entity shall ensure that the ability of an individual 23
to dispute or request that the covered entity correct 24
personal data as described in paragraph (1) is pro-25
33
LYN20111 S.L.C.
LRM K7 5MY
vided in a manner that is appropriate and reason-1
able based on the benefits and risks of harm to the 2
individual regarding the accuracy of the personal 3
data. 4
(3) EXCEPTIONS FOR PUBLICLY AVAILABLE IN-5
FORMATION.—A covered entity shall not be required 6
to verify the accuracy of publicly available informa-7
tion if the covered entity has reasonable procedures 8
to ensure that the publicly available information as-9
sembled or maintained by the covered entity accu-10
rately reflects the information available to the gen-11
eral public. 12
(d) RIGHT TO ERASURE.— 13
(1) IN GENERAL.—Except for personal data 14
collected and processed in accordance with a permis-15
sible purpose described in section 3(c), upon a 16
verified request from an individual, a covered entity 17
shall, without undue delay, delete or de-identify the 18
personal data of the individual, and shall direct any 19
service providers of the covered entity to delete or 20
de-identify such data. 21
(2) SPECIAL CONSIDERATIONS.—In determining 22
whether a covered entity that is a small business has 23
complied with a verified request under paragraph (1) 24
in a timely fashion, the Commission shall take into 25
34
LYN20111 S.L.C.
LRM K7 5MY
account the amount of time that the entity requires 1
to comply with the request considering the technical 2
feasibility, cost, and burden to the entity of com-3
plying with the request. 4
(e) FREQUENCY AND COST TO EXERCISE RIGHTS.— 5
(1) IN GENERAL.—A covered entity— 6
(A) shall comply with a verified request 7
from any individual to exercise each of the 8
rights described in subsections (b), (c), and (d) 9
not less frequently than twice in any 12-month 10
period; and 11
(B) the first 2 times that an individual 12
makes a verified request described in subpara-13
graph (A) in any 12-month period, shall comply 14
with such requests without any charge to the 15
individual. 16
(2) MANIFESTLY UNFOUNDED AND EXCESSIVE 17
REQUESTS.—If an individual submits a manifestly 18
unfounded or frivolous request to exercise a right 19
under subsection (b), (c), or (d), or an excessive 20
number of requests under such subsections, the cov-21
ered entity may— 22
(A) charge a reasonable fee, taking into ac-23
count the administrative costs of providing the 24
35
LYN20111 S.L.C.
LRM K7 5MY
personal data, communication, or taking the ac-1
tion requested by the individual; or 2
(B) refuse to act on the request. 3
(f) VERIFIED REQUEST.— 4
(1) IN GENERAL.—A request to exercise a right 5
described in this section shall only be considered a 6
‘‘verified request’’ if the covered entity verifies that 7
the individual making the request is the individual 8
whose personal data is the subject of the request. 9
(2) VERIFICATION OF IDENTITY.— 10
(A) IN GENERAL.—A covered entity shall 11
make a reasonable effort to verify the identity 12
of any individual who submits a request to exer-13
cise a right under this section. 14
(B) ADDITIONAL INFORMATION.—If a cov-15
ered entity cannot verify the identity of the in-16
dividual submitting a request under this sub-17
section, the covered entity— 18
(i) may request that the individual 19
provide such additional information as is 20
necessary to confirm the identity of the in-21
dividual; and 22
(ii) shall only process additional infor-23
mation provided under clause (i) for the 24
36
LYN20111 S.L.C.
LRM K7 5MY
purpose of verifying the identity of the in-1
dividual. 2
(g) DECLINATION OF REQUESTS.— 3
(1) IN GENERAL.—A covered entity— 4
(A) shall decline to act on a request under 5
this section where, after undertaking a reason-6
able effort, the entity cannot verify that the in-7
dividual making the request is the individual 8
whose personal data is the subject of the re-9
quest; 10
(B) may decline to act on a request under 11
this section where fulfilling the request would— 12
(i) require the covered entity or a 13
service provider of the covered entity to re-14
tain any personal data collected for a sin-15
gle, one-time transaction, if such personal 16
data is not processed for additional pur-17
poses; 18
(ii) be impossible or demonstrably im-19
practicable, or require any steps or meas-20
ures to re-identify, or otherwise alter or 21
manipulate, information that is de-identi-22
fied; 23
(iii) be contrary to the legitimate in-24
terests of the covered entity or a service 25
37
LYN20111 S.L.C.
LRM K7 5MY
provider of the covered entity, such as 1
completing a transaction, repairing 2
functionality or errors, or performing a 3
contract between the covered entity and 4
the individual; 5
(iv) impair the ability of the covered 6
entity or a service provider of the covered 7
entity to detect or respond to a security in-8
cident, provide a secure environment, or 9
protect against malicious, deceptive, fraud-10
ulent, or illegal activity; 11
(v) hinder compliance with a legal ob-12
ligation or legally recognized privilege, 13
such as a requirement to retain certain in-14
formation, or the establishment, exercise, 15
or defense of legal claims; 16
(vi) interfere with research (conducted 17
in accordance with section 3(c)(5)) when 18
the deletion of the personal data is likely 19
to render impossible or seriously impair 20
such research; or 21
(vii) create a legitimate risk to the 22
privacy, security, safety, or other rights of 23
the individual, an individual other than the 24
requester, or the covered entity, based on 25
38
LYN20111 S.L.C.
LRM K7 5MY
a reasonable individualized determination 1
by the covered entity; and 2
(C) shall not be required to act on a re-3
quest under this section if the covered entity is 4
unable to fulfill the request because— 5
(i) the covered entity requires the as-6
sistance of a service provider to fulfill the 7
request; and 8
(ii) the service provider has informed 9
the covered entity that the service provider 10
is unable to assist the covered entity in ful-11
filling the request for a reason specified in 12
section 8(c)(3)(A)(ii)(IV). 13
(2) NOTICE OF REASONS FOR DECLINATION.— 14
If the covered entity declines to act on a request 15
pursuant to paragraph (1), the covered entity shall 16
inform the individual who made the request of the 17
reasons for such declination and any rights the indi-18
vidual may have to appeal the decision of the cov-19
ered entity. 20
(h) EXCEPTION FOR SMALL BUSINESSES.—The re-21
quirements under subsections (b) and (c) shall not apply 22
to a covered entity that is a small business. 23
(i) GUIDANCE.—The Commission shall, after con-24
sulting with and soliciting comments from consumer data 25
39
LYN20111 S.L.C.
LRM K7 5MY
industry representatives, issue guidance describing non-1
binding best practices for covered entities and service pro-2
viders of different business sizes and types to develop pri-3
vacy controls as described in this section. 4
SEC. 6. SECURITY. 5
(a) IN GENERAL.—Each covered entity and service 6
provider shall develop, document, implement, and main-7
tain a comprehensive data security program that contains 8
reasonable administrative, technical, and physical safe-9
guards designed to protect the security, confidentiality, 10
and integrity of personal data from unauthorized access, 11
use, destruction, acquisition, modification, or disclosure. 12
(b) CONSIDERATIONS OF SAFEGUARDS.—The safe-13
guards required under subsection (a) with respect to a cov-14
ered entity or service provider shall be appropriate to— 15
(1) the size, complexity, and resources of the 16
covered entity or service provider; 17
(2) the nature and scope of the activities of the 18
covered entity or service provider; 19
(3) the technical feasibility and cost of available 20
tools, external audits or assessments, and other 21
measures used by the covered entity or service pro-22
vider to improve security and reduce vulnerabilities; 23
(4) the sensitivity of the personal data involved; 24
and 25
40
LYN20111 S.L.C.
LRM K7 5MY
(5) the potential for unauthorized access, use, 1
destruction, acquisition, modification, or disclosure 2
of the personal data involved to result in economic 3
loss, identity theft, fraud, or physical injury to the 4
individuals to whom such data relates. 5
(c) REQUIREMENTS FOR PROGRAM.—A comprehen-6
sive data security program under this section shall be de-7
signed to, at a minimum— 8
(1) designate an employee or employees to be 9
responsible for overseeing and maintaining its safe-10
guards; 11
(2) identify material internal and external risks 12
to the security and confidentiality of personal data 13
and assess the sufficiency of any safeguards in place 14
to control these risks, including consideration of 15
risks in each relevant area of the operations of the 16
covered entity or service provider, including— 17
(A) employee training and management; 18
(B) information systems, including net-19
work and software design, as well as informa-20
tion processing, storage, transmission, and dis-21
posal; 22
(C) detecting, preventing, and responding 23
to attacks, intrusions, or other systems failures; 24
and 25
41
LYN20111 S.L.C.
LRM K7 5MY
(D) whether the covered entity or service 1
provider has taken action to address and pre-2
vent reasonably known and addressable security 3
vulnerabilities; 4
(3) implement safeguards designed to control 5
the risks identified in the covered entity’s or service 6
provider’s risk assessment, and regularly assess the 7
effectiveness of those safeguards; 8
(4) maintain reasonable procedures to require 9
that third parties and service providers to whom per-10
sonal data is transferred by the covered entity or 11
service provider involved maintain reasonable admin-12
istrative, technical, and physical safeguards designed 13
to protect the security and confidentiality of per-14
sonal data; and 15
(5) evaluate and make reasonable adjustments 16
to the safeguards in light of material changes in 17
technology, internal or external threats to personal 18
data, and the changing business arrangements or 19
operations of the covered entity or service provider. 20
SEC. 7. ACCOUNTABILITY. 21
(a) DEFINITION OF APPLICABLE ENTITY.—In this 22
section, the term ‘‘applicable entity’’ means a covered enti-23
ty or service provider that, on an annual basis, conducts 24
collection and processing of— 25
42
LYN20111 S.L.C.
LRM K7 5MY
(1) the personal data of more than 20,000,000 1
individuals; or 2
(2) the sensitive personal data of more than 3
1,000,000 individuals. 4
(b) PRIVACY OFFICER.— 5
(1) DESIGNATION.—Each applicable entity 6
shall— 7
(A) designate an employee of the applica-8
ble entity, or an individual who is a contractor 9
of the applicable entity, to be the privacy officer 10
responsible for overseeing its policies and prac-11
tices relating to the collection and processing of 12
personal data; and 13
(B) ensure that the privacy officer is in-14
volved in all issues relating to the privacy and 15
security of personal data. 16
(2) CONFLICTS OF INTEREST.—The privacy of-17
ficer may perform other tasks and duties for the ap-18
plicable entity, but only to the extent that the appli-19
cable entity ensures that the performance of those 20
other tasks or duties does not present a conflict of 21
interest with respect to the duties and responsibil-22
ities of the privacy officer role. 23
(3) RESPONSIBILITIES.—The privacy officer 24
shall— 25
43
LYN20111 S.L.C.
LRM K7 5MY
(A) inform and advise the applicable entity 1
of the obligations of the applicable entity under 2
this Act; 3
(B) monitor compliance by the applicable 4
entity with this Act; 5
(C) oversee— 6
(i) in the case of an applicable entity 7
that is a covered entity, each privacy im-8
pact assessment carried out under sub-9
section (c); and 10
(ii) the comprehensive privacy pro-11
gram implemented under subsection (d); 12
and 13
(D) act as a contact for the Commission, 14
other Federal, State, and local authorities, and 15
the applicable entity with respect to matters re-16
lating to the privacy and security of personal 17
data. 18
(c) CONSIDERATION OF PRIVACY IMPLICATIONS OF 19
MATERIAL CHANGES IN PROCESSING SENSITIVE PER-20
SONAL DATA.— 21
(1) IN GENERAL.—If an applicable entity that 22
is a covered entity intends to begin a new collection 23
or processing activity or to make a material change 24
in its processing of sensitive personal data, the ap-25
44
LYN20111 S.L.C.
LRM K7 5MY
plicable entity shall, before beginning the new proc-1
essing activity or making the material change, con-2
sider the privacy implications, if any of the change. 3
(2) CONSIDERATIONS.—An applicable entity 4
that is a covered entity shall ensure, in considering 5
the privacy implications of a material change as re-6
quired under paragraph (1), that the consideration 7
is reasonable and appropriate with respect to the 8
sensitive personal data that will be affected by the 9
new processing activity or the material change in 10
processing by considering— 11
(A) the nature and volume of the sensitive 12
personal data; and 13
(B) the potential for the new processing 14
activity or the material change to be a proxi-15
mate cause of harm to individuals to whom the 16
sensitive personal data pertains. 17
(3) APPROVAL.—The privacy officer shall be re-18
quired to approve the findings of a privacy impact 19
assessment carried out under paragraph (1) before 20
a applicable entity that is a covered entity may begin 21
the new processing activity or make the material 22
change that is the subject of the privacy impact as-23
sessment. 24
45
LYN20111 S.L.C.
LRM K7 5MY
(4) DOCUMENTATION.—An applicable entity 1
that is a covered entity shall document and maintain 2
in written form any privacy impact assessment car-3
ried out under paragraph (1) if the new processing 4
activity or material change that is the subject of the 5
privacy impact assessment involves sensitive personal 6
data. 7
(d) COMPREHENSIVE PRIVACY PROGRAM.— 8
(1) IN GENERAL.—Each applicable entity shall 9
implement a comprehensive privacy program to safe-10
guard the privacy and security of personal data col-11
lected or processed by the applicable entity for the 12
life cycle of development and operational practices of 13
its products or services, including by— 14
(A) enhancing the privacy and security of 15
personal data collected or processed by the ap-16
plicable entity through appropriate technical or 17
operational safeguards, such as encryption, de- 18
identification, and other privacy enhancing 19
technologies; 20
(B) verifying that the applicable entity’s 21
practices relating to the collection and proc-22
essing of personal data are consistent with— 23
(i) the entity’s policies and docu-24
mentation of such policies; 25
46
LYN20111 S.L.C.
LRM K7 5MY
(ii) in the case of an applicable entity 1
that is a covered entity, representations 2
the entity makes to individuals; and 3
(iii) in the case of an applicable entity 4
that is a service provider, representations 5
the entity makes to covered entities to 6
which the entity provides services; and 7
(C) ensuring that the privacy controls of 8
the applicable entity are adequately accessible 9
to, and effective at safeguarding the expressed 10
preferences of— 11
(i) in the case of an applicable entity 12
that is a covered entity, each individual 13
whose personal data is collected or proc-14
essed by the covered entity (excluding any 15
personal data with respect to which the 16
covered entity is a third party); and 17
(ii) in the case of an applicable entity 18
that is a service provider, each covered en-19
tity to which the entity provides services. 20
(2) CONSIDERATIONS.—In implementing a com-21
prehensive privacy program under paragraph (1), 22
each applicable entity shall— 23
47
LYN20111 S.L.C.
LRM K7 5MY
(A) take into consideration, as applicable 1
given the entity’s role as a covered entity or 2
service provider— 3
(i) the relevant risks to the privacy 4
and security of personal data against 5
which the applicable entity must guard in 6
meeting the expectations of individuals; 7
(ii) the requirements under this Act; 8
(iii) the size and complexity of the ap-9
plicable entity; and 10
(iv) the sensitivity and volume of the 11
personal data that the applicable entity 12
processes; and 13
(B) address the findings and implement 14
the recommendations contained in privacy im-15
pact assessments that the applicable entity car-16
ries out under subsection (c). 17
SEC. 8. RULES RELATING TO SERVICE PROVIDERS. 18
(a) OBLIGATIONS OF COVERED ENTITIES WITH RE-19
SPECT TO SERVICE PROVIDERS.— 20
(1) IN GENERAL.—A covered entity shall only 21
disclose personal data to a service provider pursuant 22
to a contract that is binding on both parties and 23
meets the requirements of subsection (b). 24
(2) DUE DILIGENCE.— 25
48
LYN20111 S.L.C.
LRM K7 5MY
(A) IN GENERAL.—Any covered entity that 1
discloses personal data to a service provider 2
shall— 3
(i) take reasonable steps to identify 4
whether the service provider has estab-5
lished appropriate procedures and controls 6
for ensuring the privacy and security of 7
the personal data in a manner that com-8
plies with the requirements of this Act, in-9
cluding through reasonable representations 10
made to the covered entity by the service 11
provider in the contract governing the dis-12
closure of personal data to the service pro-13
vider; and 14
(ii) investigate any circumstances for 15
which a reasonable person would determine 16
that there is a high probability that the 17
service provider is not in compliance with 18
a requirement of this Act, and, if necessary 19
based on the findings of such investigation, 20
take reasonable steps to protect the pri-21
vacy and security of any personal data dis-22
closed by the covered entity to the service 23
provider that is at risk as a result of the 24
49
LYN20111 S.L.C.
LRM K7 5MY
service provider’s noncompliance with a re-1
quirement of this Act. 2
(B) CONSIDERATIONS.—In determining 3
whether a covered entity has acted reasonably 4
in complying with clause (i) or (ii) of subpara-5
graph (A), the Commission shall take into ac-6
count— 7
(i) the size, complexity, and resources 8
of the covered entity and whether the cov-9
ered entity is a small business; and 10
(ii) the risk of harm reasonably ex-11
pected to occur as a result of the covered 12
entity disclosing personal data to a service 13
provider without complying with such 14
clause. 15
(b) CONTRACTUAL REQUIREMENTS.— 16
(1) IN GENERAL.—A contract between a cov-17
ered entity and a service provider governing the dis-18
closure of personal data by the covered entity to the 19
service provider shall— 20
(A) require the service provider to only col-21
lect or process the personal data as directed by 22
the covered entity; 23
(B) establish the purposes for, and means 24
of, the collecting or processing of the personal 25
50
LYN20111 S.L.C.
LRM K7 5MY
data by the service provider, including instruc-1
tions, policies, and practices, as applicable, with 2
which the service provider is required to com-3
ply; and 4
(C) include a reasonable representation by 5
the service provider indicating that the service 6
provider has established appropriate procedures 7
and controls to comply with the requirements of 8
this Act. 9
(2) LIMITATION.—No contract governing the 10
disclosure of personal data by a covered entity to a 11
service provider shall relieve a covered entity or serv-12
ice provider of any requirement or obligation with 13
respect to such personal data that is imposed on the 14
covered entity or service provider, as applicable, by 15
this Act. 16
(c) SERVICE PROVIDER OBLIGATIONS.— 17
(1) NOTICE OF PROCESSING OF PERSONAL 18
DATA TO COMPLY WITH LEGAL REQUIREMENT.—In 19
the event that a service provider is required to proc-20
ess personal data in order to comply with a legal re-21
quirement, including a subpoena, summons, or other 22
properly executed compulsory process, the service 23
provider shall inform the covered entity from which 24
it received the personal data involved of such legal 25
51
LYN20111 S.L.C.
LRM K7 5MY
requirement before such processing, unless the serv-1
ice provider is otherwise prohibited by law from pro-2
viding such notification. 3
(2) NOTICE OF CHANGE TO POLICIES OR PRAC-4
TICES.—If a service provider amends its policies or 5
practices relating to personal data in a manner that 6
is relevant to compliance with any provision of this 7
Act, the service provider shall provide reasonable no-8
tice in advance of such change to any covered entity 9
on whose behalf the service provider collects or proc-10
esses personal data. 11
(3) RESPONSIBILITIES.— 12
(A) INDIVIDUAL CONTROL REQUESTS.—A 13
service provider that collects or processes per-14
sonal data on behalf of a covered entity shall, 15
to the extent possible, either— 16
(i) provide the covered entity with ap-17
propriate technical and organizational 18
measures to enable the covered entity to 19
comply with requests to exercise rights de-20
scribed in section 5 with respect to any 21
such personal data that is held by, and 22
reasonably accessible to, the service pro-23
vider; or 24
52
LYN20111 S.L.C.
LRM K7 5MY
(ii) respond to any request made by 1
the covered entity for assistance in com-2
plying with a request to exercise such a 3
right with respect to such personal data 4
that the covered entity has verified as de-5
scribed in section 5(f) and has determined 6
must be complied with under this Act by, 7
as appropriate— 8
(I) in the case of a request de-9
scribed in subsection (b) of section 5, 10
providing the covered entity with ac-11
cess to any relevant personal data 12
held by, and reasonably available to, 13
the service provider; 14
(II) in the case of a request de-15
scribed in subsection (c) of such sec-16
tion, by correcting any relevant per-17
sonal data held by, and reasonably ac-18
cessible to, the service provider, and 19
providing the covered entity with no-20
tice of such correction; 21
(III) in the case of a request de-22
scribed in subsection (d) of such sec-23
tion, by deleting, de-identifying, or re-24
turning to the covered entity any rel-25
53
LYN20111 S.L.C.
LRM K7 5MY
evant personal data held by, and rea-1
sonably accessible to, the service pro-2
vider, and providing the covered entity 3
with notice of such action; or 4
(IV) informing the covered entity 5
that— 6
(aa) the service provider 7
does not hold any personal data 8
related to the request; 9
(bb) the service provider 10
cannot reasonably access any 11
personal data related to the re-12
quest; or 13
(cc) complying with the re-14
quest would be inconsistent with 15
a legal requirement to which the 16
service provider is subject. 17
(B) DELETION OF DATA UPON COMPLE-18
TION OF SERVICE.—Except as otherwise re-19
quired by law, as soon as practicable after the 20
completion of the service or function for which 21
a service provider collected or processed per-22
sonal data on behalf of a covered entity, the 23
service provider shall delete, de-identify, or re-24
54
LYN20111 S.L.C.
LRM K7 5MY
turn to the covered entity all such personal 1
data. 2
(C) ASSURANCE OF COMPLIANCE.— 3
(i) IN GENERAL.—Subject to clause 4
(ii), a service provider shall make available 5
to a covered entity on whose behalf the 6
service provider collects or processes per-7
sonal data information necessary to dem-8
onstrate the service provider’s compliance 9
with subparagraph (A). 10
(ii) WRITTEN REPRESENTATION OF 11
COMPLIANCE.—If the information de-12
scribed in clause (i) is not technically avail-13
able to a service provider, the service pro-14
vider may comply with clause (i) by pro-15
viding the covered entity with a written 16
representation stating that the service pro-17
vider is in compliance with subparagraph 18
(A). 19
(4) SUBCONTRACTOR REQUIREMENTS.—A serv-20
ice provider that is collecting or processing personal 21
data on behalf of a covered entity shall not employ 22
a subcontractor to carry out or assist in such collec-23
tion or processing unless— 24
55
LYN20111 S.L.C.
LRM K7 5MY
(A) the service provider has provided the 1
covered entity with an opportunity to object to 2
the use of such subcontractor; and 3
(B) the subcontractor is subject (pursuant 4
to an agreement between the service provider 5
and the subcontractor) to the same require-6
ments and obligations as the service provider 7
with respect to the collection and processing of 8
the personal data. 9
(5) CONSIDERATIONS.—In determining whether 10
a service provider has acted reasonably in complying 11
with this subsection, the Commission shall take into 12
account— 13
(A) the size, complexity, and resources of 14
the service provider and whether the service 15
provider is a small business; and 16
(B) the risk of harm reasonably expected 17
to occur as a result of the service provider not 18
complying with this subsection. 19
SEC. 9. ENFORCEMENT. 20
(a) ENFORCEMENT BY THE COMMISSION.— 21
(1) UNFAIR OR DECEPTIVE ACTS OR PRAC-22
TICES.—A violation of this Act or a regulation pro-23
mulgated under this Act shall be treated as an un-24
fair or deceptive act or practice in violation of a rule 25
56
LYN20111 S.L.C.
LRM K7 5MY
promulgated under section 18(a)(1)(B) of the Fed-1
eral Trade Commission Act (15 U.S.C. 2
57a(a)(1)(B)). 3
(2) POWERS OF THE COMMISSION.— 4
(A) IN GENERAL.—Except as provided in 5
subparagraph (C), the Commission shall enforce 6
this Act and any regulation promulgated under 7
this Act in the same manner, by the same 8
means, and with the same jurisdiction, powers, 9
and duties as though all applicable terms and 10
provisions of the Federal Trade Commission 11
Act (15 U.S.C. 41 et seq.) were incorporated 12
into and made a part of this Act. 13
(B) PRIVILEGES AND IMMUNITIES.—Any 14
covered entity or service provider who violates 15
this Act or a regulation promulgated under this 16
Act shall be subject to the penalties and enti-17
tled to the privileges and immunities provided 18
in the Federal Trade Commission Act (15 19
U.S.C. 41 et seq.). 20
(C) COMMON CARRIERS AND NONPROFIT 21
ORGANIZATIONS.—Notwithstanding section 4, 22
5(a)(2), or 6 of the Federal Trade Commission 23
Act (15 U.S.C. 44, 45(a)(2), 46) or any juris-24
dictional limitation of the Commission, the 25
57
LYN20111 S.L.C.
LRM K7 5MY
Commission shall also enforce this Act, with re-1
spect to common carriers and nonprofit organi-2
zations described in section 2(4) of this Act, in 3
the same manner provided in subparagraphs 4
(A) and (B) of this paragraph. 5
(D) AUTHORITY PRESERVED.—Nothing in 6
this Act shall be construed to limit the Commis-7
sion’s authority under the Federal Trade Com-8
mission Act or any other provision of law. 9
(3) CIVIL PENALTIES.— 10
(A) IN GENERAL.—Notwithstanding sec-11
tion 5(m) of the Federal Trade Commission Act 12
(15 U.S.C. 45(m)), in an action brought by the 13
Commission to enforce this Act and the regula-14
tions promulgated under this Act, in addition to 15
any injunctive relief obtained by the Commis-16
sion in the action, a covered entity or service 17
provider shall be liable for a civil penalty in an 18
amount described in subparagraph (B) if the 19
covered entity or service provider, with actual 20
knowledge, violates this Act or a regulation pro-21
mulgated under this Act. 22
(B) AMOUNT.— 23
(i) CALCULATION.—Except as pro-24
vided in clause (ii), the amount of a civil 25
58
LYN20111 S.L.C.
LRM K7 5MY
penalty described in subparagraph (A) 1
shall be the number of individuals affected 2
by a violation described in that subpara-3
graph multiplied by an amount not to ex-4
ceed $42,530. 5
(ii) CONSIDERATIONS.—In deter-6
mining the amount of a civil penalty to 7
seek under subparagraph (A) for a viola-8
tion described in that subparagraph, the 9
Commission shall consider, with respect to 10
the covered entity or service provider that 11
committed the violation— 12
(I) the degree of harm associated 13
with the privacy and security of per-14
sonal data of individuals created by 15
the violation; 16
(II) the intent of the covered en-17
tity or service provider in committing 18
the violation; 19
(III) the size, complexity, and re-20
sources of the covered entity or serv-21
ice provider, including if it is a small 22
business; 23
59
LYN20111 S.L.C.
LRM K7 5MY
(IV) reasonable expectations re-1
lating to privacy and security of per-2
sonal data of individuals; 3
(V) the degree to which the cov-4
ered entity or service provider put in 5
place appropriate controls or complied 6
with the requirements of section 7, if 7
applicable; 8
(VI) whether the covered entity 9
or service provider self-reported the 10
violation to the Commission; and 11
(VII) what, if any, efforts the 12
covered entity or service provider has 13
taken to mitigate any risk to the pri-14
vacy and security of personal data of 15
individuals created by the processing. 16
(b) ENFORCEMENT BY STATE ATTORNEYS GEN-17
ERAL.— 18
(1) CIVIL ACTION.—In any case in which an at-19
torney general of a State has reason to believe that 20
an interest of the residents of that State has been 21
or is threatened or adversely affected by the engage-22
ment of any covered entity or service provider in a 23
practice that violates this Act or a regulation pro-24
mulgated under this Act, the attorney general of the 25
60
LYN20111 S.L.C.
LRM K7 5MY
State may, as parens patriae, bring a civil action on 1
behalf of the residents of the State in an appropriate 2
district court of the United States to— 3
(A) enjoin that practice; 4
(B) enforce compliance with this Act or the 5
regulation; or 6
(C) in the case of a violation described in 7
subsection (a)(3)(A), impose a civil penalty in 8
an amount described in subsection (a)(3)(B). 9
(2) RIGHTS OF THE COMMISSION.— 10
(A) NOTICE TO COMMISSION.— 11
(i) IN GENERAL.—Except as provided 12
in clause (iii), the attorney general of a 13
State shall notify the Commission in writ-14
ing that the attorney general intends to 15
bring a civil action under paragraph (1) 16
not later than 10 days before initiating the 17
civil action. 18
(ii) CONTENTS.—The notification re-19
quired by clause (i) with respect to a civil 20
action shall include a copy of the complaint 21
to be filed to initiate the civil action. 22
(iii) EXCEPTION.—If it is not feasible 23
for the attorney general of a State to pro-24
vide the notification required by clause (i) 25
61
LYN20111 S.L.C.
LRM K7 5MY
before initiating a civil action under para-1
graph (1), the attorney general shall notify 2
the Commission immediately upon insti-3
tuting the civil action. 4
(B) INTERVENTION BY THE COMMIS-5
SION.—The Commission may— 6
(i) intervene in any civil action 7
brought by the attorney general of a State 8
under paragraph (1); and 9
(ii) upon intervening under clause 10
(i)— 11
(I) be heard on all matters aris-12
ing in the civil action; and 13
(II) file petitions for appeal of a 14
decision in the civil action. 15
(3) CONSOLIDATION OF ACTIONS BROUGHT BY 16
TWO OR MORE STATE ATTORNEYS GENERAL.— 17
(A) IN GENERAL.—Subject to subpara-18
graph (B), if a civil action under paragraph (1) 19
is pending in a district court of the United 20
States and one or more civil actions are com-21
menced pursuant to paragraph (1) in a dif-22
ferent district court of the United States that 23
involve one or more common questions of fact, 24
all such civil actions shall be transferred for the 25
62
LYN20111 S.L.C.
LRM K7 5MY
purposes of consolidated pretrial proceedings 1
and trial to the United States District Court 2
for the District of Columbia. 3
(B) EXCEPTION.—A civil action shall not 4
be transferred pursuant to subparagraph (A) if 5
pretrial proceedings in such civil action have 6
concluded before the subsequent action is com-7
menced pursuant to paragraph (1). 8
(c) LIMITATION ON STATE ACTION WHILE FEDERAL 9
ACTION IS PENDING.—If the Commission institutes an 10
action under subsection (a) with respect to a violation of 11
this Act or a regulation promulgated under this Act, a 12
State may not, during the pendency of that action, insti-13
tute an action under subsection (b) against any defendant 14
named in the complaint in the action instituted by the 15
Commission based on the same set of facts giving rise to 16
the violation with respect to which the Commission insti-17
tuted the action. 18
(d) NO PRIVATE RIGHT OF ACTION.—There shall be 19
no private right of action under this Act and nothing in 20
this Act may be construed to provide a basis for a private 21
right of action. 22
SEC. 10. RELATION TO OTHER LAWS. 23
(a) CONGRESSIONAL INTENT TO PREEMPT STATE 24
PRIVACY AND SECURITY LAW.—It is the express intention 25
63
LYN20111 S.L.C.
LRM K7 5MY
of Congress to promote consistency in consumer expecta-1
tions, competitive parity, and innovation through the es-2
tablishment of a uniform Federal privacy framework that 3
preempts, and occupies the field with respect to, the au-4
thority of any State or political subdivision of a State over 5
the conduct or activities of covered entities covered by this 6
Act (or under a law enumerated in subsection (c)) relating 7
to the privacy or security of personal data, including con-8
sumer controls relating to personal data such as rights 9
to access, correction, and deletion. 10
(b) EXPRESS PREEMPTION OF STATE LAW.— 11
(1) IN GENERAL.—Except as provided in para-12
graph (2), this Act shall supersede any provision of 13
a law, rule, regulation, or other requirement of any 14
State or political subdivision of a State to the extent 15
that such provision relates to the privacy or security 16
of personal data. 17
(2) PRESERVATION OF STATE AND LOCAL 18
LAWS.—The provisions of this Act shall not be con-19
strued to preempt or supersede the applicability of 20
any of the following laws of a State or political sub-21
division of a State to the extent that such law is not 22
inconsistent with this Act: 23
(A) Laws that address notification require-24
ments in the event of a data breach. 25
64
LYN20111 S.L.C.
LRM K7 5MY
(B) Rules of criminal or civil procedure. 1
(C) Laws that relate to the general stand-2
ards of fraud or public safety. 3
(D) Laws that address the privacy of any 4
group of students (as defined in section 444(a) 5
of the General Education Provisions Act (20 6
U.S.C. 1232g(a)) (commonly referred to as the 7
‘‘Family Educational Rights and Privacy Act of 8
1974’’)). 9
(E) Laws that address financial informa-10
tion held by financial institutions (as defined in 11
section 509 of the Gramm-Leach-Bliley Act (15 12
U.S.C. 6809)). 13
(F) Laws that address protected health in-14
formation held by covered entities and business 15
associates (as such terms are defined for pur-16
poses of regulations promulgated under section 17
264(c) of the Health Insurance Portability and 18
Accountability Act of 1996 (42 U.S.C. 1320d– 19
2 note)). 20
(G) Laws governing employment and em-21
ployment-related data including data collected 22
or used by an employer pursuant to an em-23
ployer-employee relationship. 24
65
LYN20111 S.L.C.
LRM K7 5MY
(H) Laws protecting the right of individ-1
uals to be free of discrimination based on race, 2
sex, national origin, or other suspect classifica-3
tion identified under State law. 4
(c) RELATION TO OTHER FEDERAL LAWS.— 5
(1) IN GENERAL.—Except as otherwise pro-6
vided in paragraphs (2) and (4), this Act shall su-7
persede any other Federal statute or regulation re-8
lating to the privacy or security of personal data. 9
(2) SAVINGS PROVISION.—This Act shall not be 10
construed to modify, limit, or supersede the oper-11
ation of any of the following laws: 12
(A) The Children’s Online Privacy Protec-13
tion Act (15 U.S.C. 6501 et seq.). 14
(B) The Communications Assistance for 15
Law Enforcement Act (47 U.S.C. 1001 et seq.). 16
(C) Section 227 of the Communications 17
Act of 1934 (47 U.S.C. 227). 18
(D) Title V of the Gramm-Leach-Bliley 19
Act (15 U.S.C. 6801 et seq). 20
(E) The Fair Credit Reporting Act (15 21
U.S.C. 1681 et seq.). 22
(F) The Health Insurance Portability and 23
Accountability Act (Public Law 104–191). 24
66
LYN20111 S.L.C.
LRM K7 5MY
(G) The Health Information Technology 1
for Economic and Clinical Health Act (42 2
U.S.C. 17931 et seq.). 3
(H) Section 444 of the General Education 4
Provisions Act (20 U.S.C. 1232g) (commonly 5
referred to as the ‘‘Family Educational Rights 6
and Privacy Act of 1974’’). 7
(I) The Electronic Communications Pri-8
vacy Act (18 U.S.C. 2510 et seq.). 9
(J) The Driver’s Privacy Protection Act of 10
1994 (18 U.S.C. 2721 et seq). 11
(K) The Federal Aviation Act of 1958 (49 12
U.S.C. App. 1301 et seq.). 13
(3) DEEMED COMPLIANCE.—A covered entity 14
that is required to comply with a law specified in 15
paragraph (2) and is in compliance with the data 16
collection, processing, or security requirements of 17
such law shall be deemed to be in compliance with 18
the requirements of this Act with respect to personal 19
data covered by such law. 20
(4) NONAPPLICATION OF FCC LAWS AND REGU-21
LATIONS TO COVERED ENTITIES.—Notwithstanding 22
any other provision of law, neither any provision of 23
the Communications Act of 1934 (47 U.S.C. 151 et. 24
seq.) and all Acts amendatory thereof and supple-25
67
LYN20111 S.L.C.
LRM K7 5MY
mentary thereto nor any regulation promulgated by 1
the Federal Communications Commission under 2
such Acts shall apply to any covered entity with re-3
spect to the collection, use, processing, transferring, 4
or security of personal data, except to the extent 5
that such provision or regulation pertains solely to 6
‘‘911’’ lines or any other emergency line of a hos-7
pital, medical provider or service office, health care 8
facility, poison control center, fire protection agency, 9
or law enforcement agency. 10
SEC. 11. COMMISSION RESOURCES. 11
(a) APPOINTMENT OF ATTORNEYS, TECHNOLOGISTS, 12
AND SUPPORT PERSONNEL.—Notwithstanding any other 13
provision of law, the Chair of the Commission shall ap-14
point no fewer than 440 additional individuals to serve as 15
personnel to enforce this Act and other laws relating to 16
privacy and data security that the Commission is author-17
ized to enforce. 18
(b) ASSESSMENT OF COMMISSION RESOURCES.—Not 19
later than 1 year after the date of enactment of this Act, 20
the Commission shall submit to Congress a report that 21
includes— 22
(1) an assessment of the resources, including 23
personnel, available to the Commission to carry out 24
this Act; and 25
68
LYN20111 S.L.C.
LRM K7 5MY
(2) a description of any resources, including 1
personnel— 2
(A) that are not available to the Commis-3
sion; and 4
(B) that the Commission requires to effec-5
tively carry out this Act. 6
(c) AUTHORIZATION OF APPROPRIATIONS.—There 7
are authorized to be appropriated to the Commission such 8
sums as may be necessary to carry out this section. 9
SEC. 12. GUIDANCE AND REPORTING. 10
(a) INTERNATIONAL COORDINATION AND COOPERA-11
TION.— 12
(1) IN GENERAL.—If necessary, the Commis-13
sion shall coordinate any enforcement action by the 14
Commission under this Act with any relevant data 15
protection authority established by a foreign country 16
or any similar office of a foreign country in a man-17
ner consistent with subsections (j) and (k) of section 18
6 of the Federal Trade Commission Act (15 U.S.C. 19
46). 20
(2) INTERNATIONAL INTEROPERABILITY.—The 21
Secretary of Commerce, in consultation with the 22
Commission and the heads of other relevant Federal 23
agencies, shall— 24
69
LYN20111 S.L.C.
LRM K7 5MY
(A) identify laws of foreign countries or re-1
gions that relate to the processing of personal 2
data for commercial purposes; 3
(B) engage with relevant officials of for-4
eign countries or regions that have implemented 5
laws described in subparagraph (A) in order to 6
identify requirements under those laws that 7
could disrupt cross-border transfers of personal 8
data; 9
(C) develop mechanisms and recommenda-10
tions to prevent disruptions described in sub-11
paragraph (B); and 12
(D) not later than 1 year after the date of 13
enactment of this Act, and once a year each 14
year thereafter for 5 years, submit to Congress 15
a report on the progress of efforts made under 16
this section. 17
(b) REPORTS TO CONGRESS.—Not later than 180 18
days after the date of enactment of this Act, and not less 19
frequently than annually thereafter, the Commission shall 20
submit to Congress, and make available on a public 21
website, a report that contains information relating to— 22
(1) the effectiveness of this Act and regulations 23
promulgated under this Act; 24
70
LYN20111 S.L.C.
LRM K7 5MY
(2) compliance with the provisions of this Act 1
and regulations promulgated under this Act; 2
(3) violations of the provisions of this Act and 3
regulations promulgated under this Act; 4
(4) enforcement actions by the Commission and 5
State attorneys general for violations of the provi-6
sions of this Act and regulations promulgated under 7
this Act; 8
(5) priorities of the Commission in enforcing 9
the provisions of this Act and regulations promul-10
gated under this Act; and 11
(6) resources needed by the Commission to fully 12
implement and enforce the provisions of this Act and 13
regulations promulgated under this Act. 14
(c) STUDY AND REPORT BY THE GOVERNMENT AC-15
COUNTABILITY OFFICE.—Not later than 3 years after the 16
date of enactment of this Act, and once every 3 years 17
thereafter, the Comptroller General of the United States 18
shall submit to the President and Congress a report that 19
surveys Federal data privacy and security laws in order 20
to— 21
(1) identify any inconsistency between the re-22
quirements under this Act and the requirements 23
under any law related to the privacy and security of 24
personal data; 25
71
LYN20111 S.L.C.
LRM K7 5MY
(2) review the impact of the provisions of this 1
Act on small businesses and provide recommenda-2
tions, if necessary, to improve compliance and en-3
forcement; 4
(3) provide recommendations on amending Fed-5
eral data privacy and security laws in light of chang-6
ing technological and economic trends; and 7
(4) detail the Federal data privacy and security 8
enforcement activities carried out by the Commission 9
and other Federal agencies. 10
SEC. 13. SEVERABILITY. 11
If any provision of this Act or the application of such 12
provision to any person or circumstance is held to be un-13
constitutional, the remainder of this Act, and the applica-14
tion of the provision to any other person or circumstance, 15
shall not be affected. 16
SEC. 14. EFFECTIVE DATE. 17
This Act shall take effect on the date that is 1 year 18
after the date of enactment of this Act, except that section 19
10 shall take effect upon the date of enactment of this 20
Act. 21